November 25, 2013
Maintaining a Strong Defense with Layered Security
A medieval castle generally had many lines—or layers—of defense to protect itself and its inhabitants from outside attackers. For example, it would have an outer perimeter with a high berm making the passage of horse-drawn weapons difficult. This berm would surround a vast, open space that allowed the enemy no cover. Closer to the castle would be the moat, which enclosed high fortress walls with ramparts that allowed the human defenders to fire down on attackers while still having protective cover. An enemy that successfully breached all layers of security was a strong enemy indeed—or a friend, someone with proper security clearance, who was permitted to pass through.
This multilayered security is highly effective in today's computer age. Financial institutions that haven't done so already should institute such a strong online authentication process. This process would require an individual who needs to access an account to go through multiple layers of authentication according to the risk level associated with the intended transactions. For someone checking an account balance, for example, a user ID and a password may be sufficient. But for someone initiating a wire transfer request for $50,000, more layers of authentication tools are appropriate and in keeping with the 2005 Federal Financial Institutions Examination Council's supplemental guidance for internet banking to implement more robust controls as the risk level of the transaction increases.
Panel members at a recent forum cosponsored by the Secure Remote Payment Council and the Atlanta Fed's Retail Payment Risk Forum provided their assessment of the security tools that can improve online customer authentication. They did this by assigning scores to individuals tools based on a scale of 1 to 10, with 1 being extremely weak and 10 being extremely strong. While members gave pretty low scores to each individual tool, they pointed that a combination of these tools would significantly raise the strength of the authentication process, and presumably the scores of these combinations would be higher.
As the table shows, only one of the tools had an average score above 5.
We cannot say it enough: no single authentication method provides a complete solution. A strong customer/transaction authentication program uses a combination of hardware and software security tools to minimize the success of unauthorized account access. The program also incorporates customer education and training and internal policies and procedures to provide a well-rounded defense.
Portals and Rails is interested in how you would score the various tools and how your institution is implementing a multilayered authentication strategy.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Maintaining a Strong Defense with Layered Security:
September 30, 2013
Securing All the Links in the Chain: Third-Party Payment Processors
Consumers may not know when a payment transaction involves more than the merchant who they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).
The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.
Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC)—in this case, the processor—and also "know your customer's customer" (KYCC)—in this case, the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.
Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.
A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.
Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.
Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.
We would like to hear what processes your institution has in place to monitor processors.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Securing All the Links in the Chain: Third-Party Payment Processors:
August 19, 2013
Curbing Identity Theft and Fraud
To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.
A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.
Two types of identity theft drove the overall increase: new-account identity and account takeover fraud.
New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.
The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.
Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application or the report showing a rash of new credit inquiries should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include applicants having to read the information from their identification documents rather than reciting it from memory, or incorrect social security numbers, or newly issued identification documents.
Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.
As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.
We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Curbing Identity Theft and Fraud:
October 15, 2012
When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore
This post features a discussion with Terri Sands, senior vice president of electronic banking and fraud management at State Bank & Trust Company in Atlanta, on the landscape for risk management for community banks.
P&R: Terri, we talk a lot about how payments are migrating from paper to electronic methods. How does this affect community banks in payment services today?
Terri Sands: It wasn't long ago that community banks viewed fraud as an issue reserved for their larger brethren. Smaller institutions were able to deal with one-off issues such as the occasional stolen checkbook or bank card or other fraudulent transactions on a case-by-case basis. And while those events may have added some expense for the community bank's bottom line, it was rarely viewed as a material event affecting the institution and its brand.
But over the past several years, fraud's impact on community banking significantly changed. Fraud has become a constant threat to financial institutions and other industries regardless of the size and complexity of the organization. In the midst of increased attacks on financial institutions and their customers' accounts, the industry has become increasingly concerned over how to effectively protect against fraud. Basically, you can't read the newspaper or read e-mails without some form of fraudulent attack that has hit the financial sector—some are minor, others are major. However, when fraud hits close to home, it is always significant, regardless of the dollar amount.
P&R: We've been hearing a lot about corporate account takeovers in recent years. Is this affecting community banks, and what can they do about it?
Sands: For community banks, corporate account takeover attacks initiated by computer viruses have become a particularly sinister problem. In those circumstances, a corporate customer has inadvertently installed a virus on a computer by clicking on a link embedded in an e-mail that then provides a fraudster with critical online banking credentials. The fraudster uses the online banking credentials—that is, the user ID and password—to reroute credit transactions to an account and then immediately withdraws funds or pays a "money mule" to withdraw the funds and wire the money to a designated account.
Corporate customers may not even realize their money has been stolen until they check or the bank checks the account. Regardless of how this virus occurred, the customer may feel uncertainty about security and about the bank's ability to protect their money in the future. So for many community banks, this type of fraud has truly been the turning point as it is hitting their customers and therefore hits closer to home—it has become reality.
Community banks have the same fraud risk management responsibilities as the larger banks. They should network with the industry and law enforcement to share information on attacks in an effort to collaborate on mitigation strategies and share intelligence about other types of attacks affecting their customers. This is a great way to further enhance any bank's risk and fraud management program. Community banks should also include customer education as part of an effective fraud management strategy, to help them to be more proactive in their own defensive practices to ward against fraud. Of course, as the industry is well aware, the interagency regulatory guidance published in June 2011 on authentication in an online banking environment also provides community banks with a roadmap for assessing a bank's risk profile and ensuring adequate protection against risk vulnerabilities.
P&R: Is fraud mainly an online problem today?
Sands: Fraud can happen online or offline. The risk may result from a simple form of social engineering such as a phone call or e-mail attempting to gain customer information or from an internal gap in the payment process that can be exploited. Either way, fraud management is not a one-time fix but an ongoing process. Community banks must remain ever-vigilant in efforts to protect consumers from risk of fraud and possible financial loss.
TrackBack URL for this entry:
Listed below are links to blogs that reference When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore:
September 24, 2012
Alternative Financial Services Grow, and So Do the Unbanked and Underbanked
The just-released 2011 FDIC national survey on unbanked and underbanked households reports that this demographic segment has shown modest growth since the 2009 survey. Despite improvements in the general economy, 20.1 percent of U.S. households are underbanked and 8.2 percent are unbanked completely. According to the FDIC's definition, underbanked consumers may have a traditional bank account, but they rely heavily on alternative providers for financial services (shortened to AFS in the FDIC report). As we described in a previous post on nonbanks, the landscape for AFS today is a highly dynamic free-market environment that fosters creativity and innovation. Will the confluence of a growing underserved market and the ever-expanding role of nonbanks in our U.S. payments system fuel the fire for increased reliance upon AFS in general?
Growing use of alternative financial services
The growing reliance on AFS became more widespread between 2009 and 2011. According to the 2011 FDIC report, about 25 percent of all households, including the unbanked and underbanked, reported using AFS in the last year. These AFS users report finding nonbank financial services more convenient, faster, and less expensive than traditional banks.
Every day, many new types of nonbanks, including telecom firms, are entering the payments space, as we noted in this 2009 post on mobile money transfers. More recently, social networks like Facebook and PayPal-like payment business models such as Dwolla are entering the fray. Regulators of money transfer operators are working diligently to ensure that the myriad of new firms in the business are appropriately licensed and regulated. The fast pace of nonbank entry is creating a confusing regulatory environment and potential vulnerabilities that bad actors may find opportunities to exploit.
The growing appeal of prepaid
The 2011 FDIC report also notes that the unbanked and underbanked households rely on prepaid cards more than do fully banked households. One in 10 households overall reported the use of a prepaid card. The proportion of unbanked household that have used a prepaid card climbed from 12.2 percent in 2009 to 17.8 percent in the last survey.
The fact is, prepaid card adoption has been on the rise for some time. The Fed's last triennial payment study reported it to be the fastest growing retail payment method. The expanded functionality for prepaid payments today make them practical for many uses, including payroll, travel, and the provision of benefits. Consumers can purchase prepaid cards from merchants and other nonbank locales where they might be more comfortable than they would be in a traditional financial institution.
This is all good news in the context of financial inclusion and expanded opportunity for the unbanked to participate in the electronic economy and shift from more informal transfer methods. However, payments experts still have concerns. In particular, there is the risk that violators of money laundering laws may go undetected as stored-value payments move from the plastic card to other access devices such as mobile handsets. FinCEN and other regulators will need to keep these issues front of mind as adoption grows and more nonbanks participate in the prepaid industry.
Implications for policymakers and financial institutions
The report concludes that one particularly noteworthy lesson for banks to consider is the need to make traditional financial products more convenient, faster, and less expensive in order to compete with AFS. They should try harder to appeal to the under- and unbanked by providing expedited availability for deposited funds to compete with check cashers. The report even goes on to say that banks might find it useful to promote mobile technology to increase convenience, the most commonly reported reason that households use nonbank check cashiers. With the growing use of prepaid cards for both federal and state government benefits, astute financial institutions may recognize other opportunities to provide prepaid services that may eventually shift the unbanked and underbanked to more a formal banking economy.
However, one clear trend is that technology is driving entrepreneurship in payments delivery methods in unexpected ways, with new AFS services announced all the time. In the long run, AFS may not be considered alternative any more, shedding the negative reputation that label traditionally implies. If new payments are cheaper and faster, perhaps they deserve a less jaundiced eye.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Alternative Financial Services Grow, and So Do the Unbanked and Underbanked:
August 13, 2012
Tourism Traffic Boosts Prepaid Cards
Prepaid cards, at least until 2010, were the fastest growing payment method in the United States, according to the Fed's latest payments study. Their use is also growing in other markets, including Latin America in general and Brazil in particular, especially for funding tourism activities. Brazilian tourists are increasingly choosing rechargeable prepaid travel cards loaded with U.S. currency over cash. Interestingly, U.S. banks are also realizing economic benefits from tourists' move from cash to prepaid cards.
Growing South Florida tourism drives Brazilians to spend more
Brazilians make up the second largest tourist group to Florida, next to Canadians (3.3 million of whom visited the United States in 2011). Last year, approximately 1.5 million Brazilians visited Florida. They spent more than a billion dollars total, with a per-visit amount typically exceeding $5,000. Altogether, the Fed Atlanta's Miami Branch paid out $1.7 billion U.S. dollars to Brazil.
A number of factors are contributing to the rise in Brazilian tourists to Florida, including the high number of available flights, expedited processing for travel visas, significantly lower prices for many designer brands coupled with the absence of Brazilian import tax, and relatively cheaper real estate prices.
Brazilian tax rule, other factors influence credit card spending abroad But why are these tourists increasing choosing to use prepaid cards? In 2011, the Brazilian government imposed a new financial operations tax of 6.38 percent on foreign transactions made with Brazilian-issued credit cards. The tax, called the IOF—short for Imposto sobre Operações Financeiras—makes using credit cards abroad very unattractive for Brazilians.
Prepaid travel cards also offer more favorable exchange rates, and they insulate consumers against rate fluctuations by offering a fixed exchange rate on all purchases.
Banks in Brazil also benefit from prepaid cards used abroad. Transportation and custody expenses make it costly for Brazil's commercial banks to obtain and hold U.S. dollars. As a result, these banks are actively promoting prepaid cards. U.S. commercial banks quickly seized the opportunity to compete with their Brazilian counterparts by rolling out marketing campaigns in Brazil promoting the benefits of prepaid travel cards for U.S. travel.
All these conditions and incentives have combined to create a 50 percent rise in travel card applications by Brazilians shortly after the tax regulation was introduced.
Brazil offers an interesting case study of the growth in the use of prepaid payment cards. Just as U.S. consumers beyond the unbanked are recognizing the ease and convenience of this payment device, so are international consumers.
By Paul Graham, assistant vice president and branch operations officer, Miami Branch of the Federal Reserve Bank of Atlanta
TrackBack URL for this entry:
Listed below are links to blogs that reference Tourism Traffic Boosts Prepaid Cards:
April 23, 2012
Consumer protection: What to do when the consumer’s the threat?
How much for a cockroach in my take-out? What should the burger joint give me for gaining weight from eating their cheeseburgers? Consumers seeking a quick payday through frivolous lawsuits are old news in the food industry. What you may not know is that financial institutions must battle the same problem, as malicious actors twist consumer protection legislation for their own profit.
An American Banker article described how a federal court in Pennsylvania dismissed a lawsuit brought against a credit union claiming that one of their ATMs lacked a mandatory Electronic Funds Transfer Act (EFTA) sticker disclosing fees. This was just one in a string of lawsuits filed by the same plaintiffs. Some financial institutions have decided to settle instead of taking their chances in court. Some of the plaintiffs mentioned in the American Banker article have apparently decided to make a living by scoping out ATMs where stickers have fallen off or been removed, making transactions at these machines, and then filing suit against the unsuspecting operator.
This consumer behavior represents a type of second-order compliance risk. In addition to the formal consequences of noncompliance with regulation, financial institutions (FI) must also consider that some bad actors may attempt to undermine their compliance efforts. As a practical matter, FIs can manage this risk by validating EFTA compliance each time the ATM is serviced. As the machine is being refilled with cash and receipt paper, servicers should check for the disclosure sticker and have extras on hand in case it has been removed. The FI should maintain records of verification and/or replacement.
These lawsuits also raise larger questions. The other week I blogged about how the Federal Reserve has at times attempted to correct market failures in the payments industry. However, the unintended consequences of legislation discussed in this post demonstrate that government failure is also a risk. Government failure is any time that a government intervention to overcome a market failure results in a less efficient outcome than if no action had been taken. The case of these ATM vigilantes shows that legislation meant to protect the consumer can sometimes be used to justify wasteful lawsuits. In addition to determining if there is a legitimate market failure to correct, policymakers also need to consider the potential for government failure and unintended consequences of regulation before passage.
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Consumer protection: What to do when the consumer’s the threat?:
April 16, 2012
Online and mobile banking create many front doors
"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.
An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.
The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.
Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.
Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.
Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.
Effectiveness of Authentication Techniques—not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.
Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures to do something when out-of-pattern transactions are detected.
Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.
With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.
By Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Online and mobile banking create many front doors:
March 05, 2012
Generations of payment innovations
Bob Kennedy is a director and payments expert in the Fed Atlanta's supervision and regulation department. As Bob prepares for retirement next month, we sat down to talk about his thoughts on the retail payments environment in the United States.
P&R: Bob, you've gained a reputation in industry circles as an expert in the payments field and a frequent speaker at industry events with a long and distinguished career in bank supervision. Can you tell us a little about your background and your retail payments experience?
Bob: I actually come from a banking family. My grandfather actually set up a bank in the 1890s in a small town in rural Alabama to provide simple financial services to businesses and over time it grew and expanded to more consumer-based financial services. My father took over the business and employed me as early as age 12 on the teller line one day a month after school, authenticating customers who came in to cash their social security checks.
Payment services were pretty simple back then. At our little bank, customers had traditional demand deposit accounts but we did not issue checkbooks. So when they wanted to make a purchase at a merchant they would use counter checks and fill in their account information. The merchant would call my father at the bank to verify the customer's identity and funds availability.
By the 1960s, things were getting more complicated. Our customers were starting to shop more in nearby cities, so they asked us for preprinted checkbooks. My father lost an important control when we started to issue these, but we recognized the need to change with our customers so we could keep their business. Then in the 1970s, our customers demanded credit cards. The point of this history summation is that the family bank had to change to adapt to consumer demand. The same holds true today as we continue to see disruptive forces that are changing the payments business.
P&R: How would you characterize the general landscape today for bank adoption of emerging retail payments?
Bob: I would characterize the landscape as exciting because nothing is static—there is a lot going on, and we're seeing community banks beginning to adopt new types of payments. Banks are adapting to consumer demand, as before, but at the same time they need to be able to find a reward for providing the product or service, and that's in the form of revenue or customer retention. They have to have a use case for offering new services.
One of the biggest drivers of change in retail payments these days is the demand for payments data, which has become a virtual treasure trove in the sense that it provides tangible evidence about consumer decisions about products and services. A consumer who buys something has made a clear decision about the product, the retailer, and the date and time when he or she makes the purchase. This is why data mining is becoming so important to merchants in developing marketing strategies.
For example, a large retailer with a decoupled debit card may obtain information about individual consumer spending habits that it uses to help understand future potential consumer choices about products and services. According to a recent article by Charles Duhigg in the New York Times, this retailer has collected tons of data on every regular customer they have. With a "Guest ID" that the store assigns to these regulars, they track everything they buy. I believe this is why a lot of big nonbank firms like Google and PayPal are trying to establish a foothold in retail payments through the introduction of new payment channels. They recognize the monetary value of payments data at the point of sale.
P&R: What are the primary risk concerns for banks in retail payments today?
Bob: There are multiple risks for banks to consider, including operational and liquidity risks. Clearly, for U.S. banks, strategic risk is critical today with nonbank firms introducing disruptive innovations and evolving as a competitive force for banks that must remain relevant and profitable at the same time. They are forced to continually assess their business models as a result. On the positive side, we are seeing new partnerships. I read about the new alliance with Regions Bank and Western Union, leveraging each firm's agent or branch networks to provide remittance and banking services on a complementary, cross-selling versus competitive basis.
That brings us to vendor management. With banks outsourcing and partnering with nonbank, third-party firms, increased oversight for those relationships is required, along with more expertise at the bank level. For many community banks, hiring that level of expertise is challenging, and they need to rely on the risk management services from their core processors.
In addition, liquidity risk for banks in this new payments landscape has been heightened by the more rapid clearing and settlement of payment files.
Finally, security and privacy are big issues for U.S. financial institutions today, not only from a regulatory perspective but also—more importantly—from the need to protect the bank's reputation among its customers as a trusted payments partner.
P&R: What trends should industry stakeholders watch going forward?
Bob: Technological advancements are making our retail payment systems more effective, efficient, and easy. U.S. banks are doing a good job and approaching these new services and partnerships with sound due diligence. Retail payments will continue to change going forward, with disruptive services and nonbank firms appearing in ways we cannot predict. I think it will continue to be an exciting area to watch for a long time.
TrackBack URL for this entry:
Listed below are links to blogs that reference Generations of payment innovations:
January 17, 2012
How risky? The elements of an effective payments risk management program
Financial institutions manage a range of businesses with distinct risk management needs. Banks of all sizes that offer payment services to retail and commercial clients must appropriately identify and manage the myriad dimensions of risk entailed. The Retail Payments Risk Forum recently spoke with Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. The conversation, captured in a podcast and highlighted in this post, covered the elements of a successful payments risk management program. Formerly a banker, DaSilva is able to take the perspective both of the supervisor and of the supervised institution when it comes to understanding the challenges of managing retail payments risk.
He said that in financial institutions today, "payments risk management is sometimes informal or decentralized." Without a comprehensive risk assessment, said DaSilva, these institutions have a heightened vulnerability to risks they do not understand. As a result, they may incur losses, lawsuits, or even regulatory formal actions.
Often, the scope and rigor of the bank's risk management program is not commensurate with the bank's risk profile. He added that the loose oversight combines with a variety of other factors to undercut a bank's risk management capabilities. A major driver in adding new payment services may be anxiety for fee income in an environment where many sources of payments revenue have been pressured.
Other factors include incomplete due diligence or inadequate "know-your-customer" (KYC) programs, or the institution may have insufficient payment expertise, senior leadership involvement, or employee and management training. DaSilva has seen institutions that do not perform adequate risk assessments or due diligence when deploying new payment products or services, for example, or when engaging in third-party service-provider relationships.
Implementing a strong risk management program
DaSilva explained that there are multiple types of risk in the payments business that institutions must consider. These types include "credit risk, compliance risk, transaction risk, fraud risk, and legal and reputational risk." Responding to all these requires establishing a risk management program with the following elements:
- Planning. Having clear, defined objectives, a well-developed business strategy, clear risk payments parameters, and a role within the financial institution's strategic plan.
- Risk identification and assessment. Senior management knowledge and understanding of their institution's risks is critical. The risk assessment should be incorporated into the bank's overall risk management process, which will vary by institution.
- Mitigation. Establish policies and procedures to mitigate identified risks. These policies should consist of clearly defined responsibilities and strong internal controls over transactions. Mitigation is also achieved through a good risk-based audit program, and well-designed contracts and agreements.
- Measurement and monitoring. Periodic reporting should enable the board and senior management to determine that payments activities remain within the bank's established risk parameters.
The role of bank leadership in risk management
DaSilva repeatedly emphasized that it is critical for bank board and senior management to be actively involved with and knowledgeable about their institution's payments risk management. For an institution to be able to gauge senior management knowledge, he suggested it begin by exploring whether management "understands the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks, [as well as] their reputational [and] legal risk."
DaSilva encouraged leveraging subject matter experts and ensuring that the retail payments strategy matches the bank's overall strategy and competencies. The best policy may be to limit product offerings to those for which management and employees have a full understanding of the accompanying risks. Despite the pressure to develop new sources of revenue, financial institutions should carefully evaluate the risks of any new payment product before adding it to their portfolio.
To end on a positive note, DaSilva has seen some institutions improving in all the right areas. They are assessing and mitigating risk across multiple payment channels, products, and delivery systems, including ACH, remote deposit capture, card products, and wire transfer. And for icing on the risk management cake, some do annual reviews of client accounts that include exposure from all payment, deposit, and loan products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference How risky? The elements of an effective payments risk management program: